June 20, 2007
The Homeland Security Department's chief information officer needs to explain to Congress why he should keep his job in light of recently uncovered security lapses, the head of the House panel overseeing the department said Wednesday.
Rep. Bennie Thompson, D-Miss., chairman of the Homeland Security Committee, said he is not convinced DHS technology chief Scott Charbo is serious about fixing vulnerabilities in the department's information technology systems.
"If he's not committed to securing our networks, I have to question his ability to lead the department's IT efforts," Thompson said in an opening statement at a hearing before the panel's Subcommittee on Emerging Threats, Cybersecurity and Science and Technology. "I can't understand for the life of me why it takes outside auditors to tell the CIO and his contractors that these networks are insecure."
Lawmakers called on Charbo to answer questions about numerous breaches uncovered by auditors. The Government Accountability Office reported that the department failed to fix vulnerabilities in the IT system supporting the US-VISIT program to track entrances and exits to the United States, for instance, and did not invest adequately in defensive measures.
Thompson questioned how the rest of the government and the private sector could take cybersecurity seriously if DHS doesn't fix its own configurations.
"A 'do as I say, not as I do' policy is a recipe for disaster, and if we are serious about the security risks facing our networks, then we need to start acting and stop posturing," Thompson said. "The American people are tired of hearing that getting a D is a security improvement. I'm tired of hearing it."
In April, the department received a D grade on an annual congressional report card measuring compliance with the law governing federal information security. The department flunked the previous year.
Charbo said many of the findings cited by the subcommittee are based on data from a year ago and on legacy systems that are in the process of being replaced.
"The department takes these incidents very seriously and will work diligently to ensure they do not occur," Charbo said. "We need to increase our vigilance to ensure that such incidents do not happen again."
Charbo said that DHS Secretary Michael Chertoff's decision to boost the chief information officer's authority will result in a more "coherent and effective" use of IT resources.
"My authority over all of these areas directly affects our overall security posture," Charbo said. "IT programs and acquisitions are being reviewed at the department level to ensure that they are reconciled with the department's strategic goals."
According to subcommittee chairman Rep. James Langevin, D-R.I., the department experienced 844 security incidents in fiscal 2005 and fiscal 2006 on IT networks at its headquarters, the Immigration and Customs Enforcement bureau, U.S. Customs and Border Protection, the Federal Emergency Management Agency and elsewhere.
Congressional investigators found a password dumping application and other malicious files on two DHS systems, computers infected with multiple Trojan horses and viruses, hard copies of user identifications and passwords for a local administrator account, classified e-mails sent over unclassified networks, unauthorized users attaching their personal computers to the DHS network, unauthorized individuals gaining access to DHS equipment and data, and misconfigured firewalls.
"In spite of the significant vulnerabilities in its systems, the department doesn't appear to be in any rush to fix them," Langevin said. "I wish DHS exerted the same level of effort to protect its networks that our adversaries are exerting to penetrate them."
Langevin criticized the department for "failing to dedicate adequate funding" to IT security. While experts agree that agencies should allocate about 20 percent of their IT budgets to cybersecurity, DHS only spends about 6.7 percent to secure its systems, he said.
Charbo said, however, that consultants working with the department have recommended spending between 3 and 8 percent of the IT budget on security.